Friday, May 19, 2017

Tracking wired client behind Aruba AP

So you have a setup with Aruba RAPs that bridge their wired ports to a VLAN on the controller. The web interface only tracks wireless clients, so you have no idea which AP the client with a particular IP is connected to.

Log in to the controller CLI using SSH. Read-only access is enough; no need to be admin.

First we need to find the MAC address for the IP.

(PYONGYANG-WLC-1) #show arp | include 10.42.235.4
Protocol        Address         Hardware Address        Interface
Internet        10.42.235.4     A4:6F:D9:E8:FF:15       vlan2504

Now that we know the MAC, let's find the tunnel it's bridged over.

(PYONGYANG-WLC-1) #show datapath bridge | include A4:6F:D9:E8:FF:15

Datapath Bridge Table Entries
-----------------------------

Flags: P - Permanent, D - Deny, R - Roamed Client, M - Mobile, X - Xsec, A - Auth, T - Trusted

      MAC          VLAN  Assigned VLAN  Destination  Flags    Age
-----------------  ----  -------------  -----------  -------  ----
A4:6F:D9:E8:FF:15  2504  2504           tunnel 196            0

If you're interested, you can use the same command to check for any other clients connected to the same AP.

(PYONGYANG-WLC-1) #show datapath bridge | include "tunnel 196"
A4:6F:D9:E8:FF:15  2504  2504           tunnel 196            0
A4:6F:E5:15:37:08  2504  2504           tunnel 196            0
A4:6F:72:53:47:3E  2504  2504           tunnel 196            0

Now that we know the tunnel ID, we can use it to look up the temporary AP IP.

(PYONGYANG-WLC-1) #show datapath tunnel | include 196

Datapath Tunnel Table Entries
-----------------------------

Flags: E - Ether encap,  I - Wi-Fi encap,  R - Wired tunnel,  F - IP fragment OK
       W - WEP,  K - TKIP,  A - AESCCM,  G - AESGCM,  M - no mcast src filtering
       S - Single encrypt,  U - Untagged,  X - Tunneled node,  1(cert-id) - 802.1X Term-PEAP
       2(cert-id) - 802.1X Term-TLS,  T - Trusted,  L - No looping, d - Drop Bcast/Unknown Mcast,
       D - Decrypt tunnel,  a - Reduce ARP packets in the air, e - EAPOL only
       C - Prohibit new calls, P - Permanent, m - Convert multicast
       n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), s - Split tunnel
       V - enforce user vlan(open clients only)
       H - Standby (HA-Lite), c - IP Compression, g - PAN GlobalProtect Tunnel

#       Source           Destination    Prt  Type  MTU   VLAN Acls                     BSSID             Decaps     Encaps     Heartbeats Cpu QSz Flags  EncapKBytes  DecapKBytes
------  --------------  --------------  ---  ----  ----  ---- -----------------------  ----------------- ---------- ---------- ---------- --- --- ----- ------------- -----------
196     192.168.8.36    172.17.0.81     47   8110  1200  2504 0   0    2    0    0     00:1A:1E:01:45:13    2019039    1972939          0  13   0 TEPR

Almost there. Now just check which AP has that IP.

(PYONGYANG-WLC-1) #show ap database | include 172.17.0.81

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP; s = LACP striping
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
       c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
       u = Custom-Cert RAP; S = Standby-mode AP; J = USB cert at AP
       i = Indoor; o = Outdoor
       M = Mesh node; Y = Mesh Recovery

AP Database
-----------
Name             Group             AP Type  IP Address    Status               Flags  Switch IP     Standby IP
----             -----             -------  ----------    ------               -----  ---------     ----------
PYONGYANG-RAP25  RAP-PYONGYANG    RAP-3WN  172.17.0.81   Up 11d:5h:15m:38s    Rc2    192.168.8.36  0.0.0.0

That's it. The problem client is connected to RAP25.
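The four lookups above chained into one script, as an added example that is not from the post. It uses constructed copies of the outputs shown above in place of a real SSH session (the `run` callback is the assumed hook for one), and it compares columns exactly rather than trusting `| include`, which is only a substring filter.

```python
import re
# Constructed outputs, copied from the four lookups shown in the post (not a live capture).
CLI_OUTPUT = {
    "show arp": "Protocol        Address         Hardware Address        Interface\n"
                "Internet        10.42.235.4     A4:6F:D9:E8:FF:15       vlan2504",
    "show datapath bridge": "A4:6F:D9:E8:FF:15  2504  2504           tunnel 196            0\n"
                            "A4:6F:E5:15:37:08  2504  2504           tunnel 196            0\n"
                            "A4:6F:72:53:47:3E  2504  2504           tunnel 196            0",
    "show datapath tunnel": "196     192.168.8.36    172.17.0.81     47   8110  1200  2504 0   0    2"
                            "    0    0     00:1A:1E:01:45:13    2019039    1972939          0  13   0 TEPR",
    "show ap database": "PYONGYANG-RAP25  RAP-PYONGYANG    RAP-3WN  172.17.0.81   "
                        "Up 11d:5h:15m:38s    Rc2    192.168.8.36  0.0.0.0",
}
MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)

def fake_run(cmd):
    """Stand-in for the SSH session: canned output for the command before '| include'."""
    return CLI_OUTPUT[cmd.split(" | ")[0]]
def find_rows(output, col, value):
    """Rows (whitespace-split) whose column `col` equals `value` exactly. The CLI's
    '| include X' is only a substring filter (10.42.235.4 also hits 10.42.235.40,
    "tunnel 196" also hits tunnel 1960), so never rely on the filter alone."""
    return [f for f in (line.split() for line in output.splitlines())
            if len(f) > col and f[col].upper() == str(value).upper()]

def trace_wired_client(ip, run=fake_run):
    """Chain IP -> MAC -> tunnel -> AP IP -> AP name; run(cmd) executes one controller command."""
    result = {"ip": ip, "mac": None, "tunnel": None, "ap_ip": None, "ap": None, "peers": []}
    # show arp: Protocol, Address, Hardware Address, Interface
    arp = [f for f in find_rows(run(f"show arp | include {ip}"), 1, ip) if MAC_RE.match(f[2])]
    if not arp:
        return result
    mac = result["mac"] = arp[0][2].upper()
    # show datapath bridge: MAC, VLAN, Assigned VLAN, Destination ('tunnel N'), Flags, Age
    bridge = [f for f in find_rows(run(f"show datapath bridge | include {mac}"), 0, mac) if f[3] == "tunnel"]
    if not bridge:
        return result  # not bridged over a tunnel (wireless client or a local port)
    tunnel = result["tunnel"] = int(bridge[0][4])
    # show datapath tunnel: #, Source (controller side), Destination (the AP's inner IP), ...
    tun = find_rows(run(f"show datapath tunnel | include {tunnel}"), 0, tunnel)
    if tun:
        ap_ip = result["ap_ip"] = tun[0][2]
        # show ap database: Name, Group, AP Type, IP Address, Status, Flags, Switch IP, Standby IP
        ap = find_rows(run(f"show ap database | include {ap_ip}"), 3, ap_ip)
        result["ap"] = ap[0][0] if ap else None
    # Other MACs bridged over the same tunnel, i.e. on the same AP's wired ports
    peers = find_rows(run(f'show datapath bridge | include "tunnel {tunnel}"'), 4, tunnel)
    result["peers"] = [f[0] for f in peers if f[3] == "tunnel" and f[0].upper() != mac]
    return result
```

Replace `fake_run` with a function that sends the command over your SSH session and returns the text; AP names are assumed not to contain whitespace.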
